Abstract

The Büchi non-emptiness problem for timed automata refers to deciding if a given automaton has an infinite non-Zeno run satisfying the Büchi accepting condition. The standard solution to this problem involves adding an auxiliary clock to take care of the non-Zenoness. In this paper, it is shown that this simple transformation may sometimes result in an exponential blowup. A construction avoiding this blowup is proposed. It is also shown that in many cases, non-Zenoness can be ascertained without extra construction. An on-the-fly algorithm for the non-emptiness problem, using the non-Zenoness construction only when required, is proposed. Experiments carried out with a prototype implementation of the algorithm are reported.

1 Introduction 

Timed automata [1] are widely used to model real-time systems. They are obtained from finite automata by adding clocks that can be reset and whose values can be compared with constants. The crucial property of timed automata is that their emptiness is decidable. This model has been implemented in verification tools like Uppaal [I] or Kronos [TU], and used in industrial case studies [T71 151 12U].

While most tools concentrate on the reachability problem, questions concerning infinite executions of timed automata are also of interest. In the case of infinite executions one has to eliminate the so-called Zeno runs. These are executions that contain infinitely many steps taken in a finite time interval. For obvious reasons such executions are considered unrealistic. One way to treat Zeno runs would be to say that a timed automaton admitting such a run is faulty and should be disregarded. This gives rise to the problem of detecting the existence of Zeno runs in an automaton [9l [TBI EES]. The other approach to handling Zeno behaviours, which we adopt here, is to say that due to imprecisions introduced by the modeling process one may need to work with automata having Zeno runs. This leads to the problem of this paper: given a timed automaton, decide if it has a non-Zeno run passing through accepting states infinitely often. We call this the Büchi non-emptiness problem.

This basic problem [1] has been studied already in the paper introducing timed automata. It was shown there that, using the so-called region abstraction, the problem can be reduced to finding a path in a finite region graph satisfying some particular conditions. The main difference between the cases of finite and infinite executions is that in the latter one needs to decide if the path that has been found corresponds to a non-Zeno run of the automaton.

Subsequent research has shown that the region abstraction is very inefficient for reachability problems. Another method using zones instead of regions has been proposed [13]. It is used at present in all timed-verification tools. While simple at first sight, the zone abstraction was delicate to get right [7]. This is mainly because the basic properties of regions do not transfer to zones. The zone abstraction also works for infinite executions, but unlike for regions, it is impossible to decide if a path in a zone graph corresponds to a non-Zeno run of the automaton.

There exists a simple solution to the problem of Zeno runs that amounts to transforming automata in such a way that every run passing through an accepting state infinitely often is non-Zeno. An automaton with such a property is called strongly non-Zeno. The transformation is easy to describe and requires the addition of one new clock. This paper is motivated by our experiments with an implementation of this construction. We have observed that this apparently simple transformation can give a big overhead in the size of a zone graph.

In this paper we closely examine the transformation to strongly non-Zeno automata [25], and show that it can inflict a blowup of the zone graph; this blowup can even be exponential in the number of clocks. To substantiate this, we exhibit an example of an automaton having a zone graph of polynomial size, whose transformed version has a zone graph of exponential size. We propose another solution to avoid this phenomenon. Instead of modifying the automaton, we modify the zone graph. We show that this modification allows us to detect if a path in the zone graph can be instantiated to a non-Zeno run. Moreover the size of the modified graph is $|ZG(A)| \cdot |X|$, where $|ZG(A)|$ is the size of the zone graph and $|X|$ is the number of clocks.

In the second part of the paper we propose an on-the-fly algorithm for testing the existence of accepting non-Zeno runs in timed Büchi automata. The problem we face closely resembles the emptiness testing of finite automata with generalized Büchi conditions. Since the most efficient solutions for the latter problem are based on Tarjan's algorithm to detect strongly connected components (SCCs) [TS], we take the same route here. We additionally observe that Büchi emptiness can sometimes be decided directly from the zone graph. This permits restricting the use of the modified zone graph construction to certain parts of the zone graph. In cases when no clock comparisons of the form $x = 0$ are reachable from the initial state of the automaton, the algorithm runs in time $O(|ZG(A)| \cdot |X|)$. Further, the optimized algorithm runs in time $O(|ZG(A)|)$ when no reachable SCC contains a blocking clock: that is, a clock that is bounded (e.g. $x < 1$) but never reset in the SCC. We also give additional optimizations that prove to be powerful in practice. We include experiments conducted on examples from the literature.

1.1 Related work 

The zone approach was introduced in the Petri net context [6], and then adapted to the framework of timed automata [14]. The advantage of zones over regions is that they do not require considering every possible unit time interval separately. The delicate point about zones was to find the right approximation operator. The usual approximation operators are sound and complete: each path in the zone graph can be instantiated as a run in the automaton and vice versa. While this is enough for correctness of the reachability algorithm, it does not allow one to determine if a path can be instantiated to a non-Zeno run. The solution involving adding one clock has been discussed in [23, 25, 2]. Recently, Tripakis [24] has shown a way to extract an accepting run from a zone graph of the automaton. Combined with the construction of adding one clock this gives a solution to the Büchi emptiness problem. Since, as we show here, adding one clock may be costly, this solution is costly too. A different approach has been considered in [SJ 116) where some sufficient conditions are proposed for a timed automaton to be free from Zeno runs. Notice that for obvious complexity reasons, any such condition must be either incomplete, or of the same algorithmic complexity as the emptiness test itself.

1.2 Organization of the paper 

In the next section we formalize our problem, and discuss region and zone abstractions. As an intermediate step we give a short proof of the above-mentioned result from [24]. Section 3 explains the problems with the transformation to strongly non-Zeno automata, and describes our alternative method. The following section is devoted to a description of the algorithm. We conclude with the results of the experiments performed.

2 The Emptiness Problem for Timed Büchi Automata

2.1 Timed Büchi Automata

Let $X$ be a set of clocks, i.e., variables that range over $\mathbb{R}_{\ge 0}$, the set of non-negative real numbers. Clock constraints are conjunctions of comparisons of variables with integer constants: $x \# c$ where $x \in X$ is a clock, $c \in \mathbb{N}$ and $\# \in \{<, \le, =, \ge, >\}$. For instance $(x < 3 \wedge y \ge 0)$ is a clock constraint. Let $\Phi(X)$ denote the set of clock constraints over the clock variables $X$.

A clock valuation over $X$ is a function $v : X \to \mathbb{R}_{\ge 0}$. We denote by $\mathbb{R}^X_{\ge 0}$ the set of clock valuations over $X$, and by $\mathbf{0} : X \to \{0\}$ the valuation that associates $0$ to every clock in $X$. We write $v \models \phi$ when $v$ satisfies $\phi$, i.e. when every constraint in $\phi$ holds after replacing every $x$ by $v(x)$.

For a valuation $v$ and $\delta \in \mathbb{R}_{\ge 0}$, let $(v + \delta)$ be the valuation such that $(v + \delta)(x) = v(x) + \delta$ for all $x \in X$. For a set $R \subseteq X$, let $[R]v$ be the valuation such that $([R]v)(x) = 0$ if $x \in R$ and $([R]v)(x) = v(x)$ otherwise.

A Timed Büchi Automaton (TBA) is a tuple $A = (Q, q_0, X, T, Acc)$ where $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, $X$ is a finite set of clocks, $Acc \subseteq Q$ is a set of accepting states, and $T \subseteq Q \times \Phi(X) \times 2^X \times Q$ is a finite set of transitions $(q, g, R, q')$ where $g$ is the guard and $R$ is the reset of the transition.

A configuration of $A$ is a pair $(q, v) \in Q \times \mathbb{R}^X_{\ge 0}$, with $(q_0, \mathbf{0})$ being the initial configuration. A transition $(q, v) \xrightarrow{t, \delta} (q', v')$ for $t = (q, g, R, q') \in T$ and $\delta \in \mathbb{R}_{\ge 0}$ is defined when $v + \delta \models g$ and $v' = [R](v + \delta)$.

A run of $A$ is an infinite sequence of configurations connected by transitions, starting from the initial state $q_0$ and the initial valuation $v_0 = \mathbf{0}$:

$(q_0, v_0) \xrightarrow{t_0, \delta_0} (q_1, v_1) \xrightarrow{t_1, \delta_1} \cdots$

A run $\sigma$ satisfies the Büchi condition if it visits accepting configurations infinitely often, that is, configurations with a state from $Acc$. The duration of the run is the accumulated delay $\sum_{i \ge 0} \delta_i$. An infinite run $\sigma$ is Zeno if it has a finite duration.

Definition 1 The Büchi non-emptiness problem is to decide if $A$ has a non-Zeno run satisfying the Büchi condition.

The Büchi non-emptiness problem is known to be PSPACE-complete [1].

The class of TBA we consider is usually known as diagonal-free TBA since clock comparisons like $x - y < 1$ are disallowed. Since we are interested in the Büchi non-emptiness problem, we can consider automata without an input alphabet and without invariants, since invariants can be simulated by guards.

2.2 Regions and region graphs

A simple decision procedure for the Büchi non-emptiness problem builds from $A$ a graph called the region graph and tests if there is a path in this graph satisfying certain conditions. We will define two types of regions.

Fix a constant $M$ and a finite set of clocks $X$. Two valuations $v, v' \in \mathbb{R}^X_{\ge 0}$ are region equivalent w.r.t. $M$, denoted $v \simeq_M v'$, iff for every $x, y \in X$ (where $\lfloor a \rfloor$ and $\{a\}$ denote the integral and fractional parts of $a$):

1. $v(x) > M$ iff $v'(x) > M$;

2. if $v(x) \le M$, then $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$;

3. if $v(x) \le M$, then $\{v(x)\} = 0$ iff $\{v'(x)\} = 0$;

4. if $v(x) \le M$ and $v(y) \le M$, then $\{v(x)\} \le \{v(y)\}$ iff $\{v'(x)\} \le \{v'(y)\}$.

The first three conditions ensure that the two valuations satisfy the same guards, as clock constraints are defined with respect to integer bounds and $M$ is the maximal constant in $A$. The last one enforces that for every $\delta \in \mathbb{R}_{\ge 0}$ there is $\delta' \in \mathbb{R}_{\ge 0}$ such that the valuations $v + \delta$ and $v' + \delta'$ satisfy the same guards, since the difference of $x$ and $y$ is invariant under time elapse.

We will also define diagonal region equivalence (d-region equivalence for short), which strengthens the last condition to

4d. for every integer $c \in (-M, M)$: $v(x) - v(y) \le c$ iff $v'(x) - v'(y) \le c$.

This region equivalence is denoted by $\simeq^d_M$. Observe that it is finer than $\simeq_M$.

A region is an equivalence class of $\simeq_M$. We write $[v]_M$ for the region of $v$, and $\mathcal{R}_M$ for the set of all regions with respect to $M$. Similarly, for d-region equivalence we write $[v]^d_M$ and $\mathcal{R}^d_M$. If $r$ is a region or a d-region then we write $r \models g$ to mean that every valuation in $r$ satisfies the guard $g$. Observe that all valuations in a region, or a d-region, satisfy the same guards.

For an automaton $A$, we define its region graph, $RG(A)$, using the relation $\simeq_M$, where $M$ is the biggest constant appearing in the guards of its transitions. Without loss of generality we assume that $M > 0$, in other words that there is at least one guard in $A$. Nodes of $RG(A)$ are of the form $(q, r)$ for $q$ a state of $A$ and $r \in \mathcal{R}_M$ a region. There is a transition $(q, r) \xrightarrow{t} (q', r')$ if there are $v \in r$, $\delta \in \mathbb{R}_{\ge 0}$ and $v' \in r'$ with $(q, v) \xrightarrow{t, \delta} (q', v')$. Observe that a transition in the region graph is not decorated with a delay. The graph $RG^d(A)$ is defined similarly but using the relation $\simeq^d_M$.

It will be important to understand the properties of pre- and post-stability of regions or d-regions [25]. We state them formally. A transition $(q, r) \xrightarrow{t} (q', r')$ in a region graph or a d-region graph is:

• Pre-stable if for every $v \in r$ there are $v' \in r'$ and $\delta \in \mathbb{R}_{\ge 0}$ s.t. $(q, v) \xrightarrow{t, \delta} (q', v')$;

• Post-stable if for every $v' \in r'$ there are $v \in r$ and $\delta \in \mathbb{R}_{\ge 0}$ s.t. $(q, v) \xrightarrow{t, \delta} (q', v')$.

The following lemma explains our interest in the $\simeq^d_M$ relation. The main fact is that both region graphs are pre-stable, and this allows us to decide the existence of a non-Zeno run easily by Theorem 4.

Lemma 2 (Pre- and post-stability [8]) Transitions in $RG^d(A)$ are pre-stable and post-stable. Transitions in $RG(A)$ are pre-stable but not necessarily post-stable.

Consider two sequences

$(q_0, v_0) \xrightarrow{t_0, \delta_0} (q_1, v_1) \xrightarrow{t_1, \delta_1} \cdots$ (1)

$(q_0, r_0) \xrightarrow{t_0} (q_1, r_1) \xrightarrow{t_1} \cdots$ (2)

where the first is a run in $A$, and the second is a path in $RG(A)$ or $RG^d(A)$. We say that the first is an instantiation of the second if $v_i \in r_i$ for all $i \ge 0$. Equivalently, we say that the second is an abstraction of the first. The following lemma is a direct consequence of the pre-stability property.

Lemma 3 Every path in $RG(A)$ is an abstraction of a run of $A$, and conversely, every run of $A$ is an instantiation of a path in $RG(A)$. Similarly for $RG^d(A)$.

This lemma allows us to relate the existence of an accepting run of $A$ to the existence of paths with special properties in $RG(A)$ or $RG^d(A)$. We say that a path as in (2) satisfies the Büchi condition if it has infinitely many occurrences of states from $Acc$. The path is called progressive [1, 25] if for every clock $x \in X$:

• either $x$ is almost always above $M$: there is $n$ with $r_i \models x > M$ for all $i \ge n$;

• or $x$ is reset infinitely often and strictly positive infinitely often: for every $n$ there are $i, j \ge n$ such that $r_i \models (x = 0)$ and $r_j \models (x > 0)$.

Theorem 4 ([1]) A TBA $A$ has a non-Zeno run satisfying the Büchi condition iff $RG(A)$ has a progressive path satisfying the Büchi condition. Similarly for $RG^d(A)$.

The progress criterion above can be encoded by adding an extra Büchi accepting condition [1, 25]. While Theorem 4 gives an algorithm for solving our problem, it turns out that this method is very impractical. The number of regions for clocks $X$ and constant $M$ is $O(|X|! \cdot 2^{|X|} \cdot M^{|X|})$ [1], and constructing all of them, or even searching through them on-the-fly, has proved to be very costly.
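As an added illustration (not part of the paper), the two region equivalences of this section and the progress criterion can be checked mechanically. The Python below encodes valuations as dictionaries from clock names to values, and represents a region of a lasso-shaped path by one of its valuations, which is sound for the progress check because all valuations of a region satisfy the same guards. The clock names, the constant $M$ and the test valuations are constructed for this example.

```python
import math

# Added example (not from the paper): region equivalence (conditions 1-4), d-region equivalence
# (condition 4d) and the progress criterion of Section 2.2. Valuations are dicts clock -> value;
# a region is represented by one of its valuations (sound: a region satisfies the same guards).

def frac(a):
    return a - math.floor(a)

def region_equivalent(v, w, M):
    """v ≃_M w: conditions 1-4 of the region equivalence with maximal constant M."""
    for x in v:
        if (v[x] > M) != (w[x] > M):                       # 1. both above M, or both at most M
            return False
        if v[x] <= M:
            if math.floor(v[x]) != math.floor(w[x]):       # 2. same integral part
                return False
            if (frac(v[x]) == 0) != (frac(w[x]) == 0):     # 3. fractional part zero in both or neither
                return False
    for x in v:
        for y in v:
            if v[x] <= M and v[y] <= M:                    # 4. same ordering of fractional parts
                if (frac(v[x]) <= frac(v[y])) != (frac(w[x]) <= frac(w[y])):
                    return False
    return True

def d_region_equivalent(v, w, M):
    """v ≃^d_M w: region equivalence strengthened by condition 4d, i.e. agreement on every
    diagonal constraint x - y <= c for integer c in (-M, M)."""
    if not region_equivalent(v, w, M):
        return False
    for x in v:
        for y in v:
            for c in range(-M + 1, M):
                if (v[x] - v[y] <= c) != (w[x] - w[y] <= c):
                    return False
    return True

def progressive(cycle, M):
    """Progress criterion on the repeated cycle of a lasso-shaped path of RG(A): every clock is
    either above M in all regions of the cycle, or is 0 in some region and positive in another."""
    for x in cycle[0]:
        always_above = all(r[x] > M for r in cycle)
        reset_and_positive = any(r[x] == 0 for r in cycle) and any(r[x] > 0 for r in cycle)
        if not (always_above or reset_and_positive):
            return False
    return True
```

The pair of valuations with $x = 5.0$ and $x = 2.1$ (both above $M = 2$) is region equivalent but not d-region equivalent, since only the latter looks at $x - y \le 1$; this is the sense in which $\simeq^d_M$ is finer than $\simeq_M$.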

2.3 Zones and zone graphs

Timed verification tools use zones instead of regions. A zone is a set of valuations defined by a conjunction of two kinds of constraints: comparison of the difference between two clocks with a constant, like $x - y \# c$, or comparison of the value of a single clock with a constant, like $x \# c$, for $x, y \in X$, $c \in \mathbb{N}$ and $\# \in \{<, \le, =, \ge, >\}$. For example $(x - y > 1) \wedge (y < 2)$ is a zone. While at first sight it may seem that there are more zones than regions, this is not the case if we count only those that are reachable from the initial valuation.

Since zones are sets of valuations defined by constraints, one can define transitions directly on zones. For a transition $t$ in $A$ and a zone $Z$, we have $(q, Z) \xrightarrow{t} (q', Z')$ if $Z'$ is the set of valuations $v'$ such that there exist $v \in Z$ and $\delta \in \mathbb{R}_{\ge 0}$ with $(q, v) \xrightarrow{t, \delta} (q', v')$. It is well known that $Z'$ is a zone. Moreover zones can be represented using Difference Bound Matrices (DBMs), and transitions can be computed efficiently on DBMs [13]. The problem is that the number of reachable zones is not guaranteed to be finite [13].
In order to ensure that the number of reachable zones is finite, one introduces abstraction operators. We mention the three most common ones in the literature. They refer to region graphs, $RG(A)$ or $RG^d(A)$, and use the constant $M$ that is the maximal constant appearing in the guards of $A$.

• $Closure_M(Z)$: the smallest union of regions containing $Z$;

• $Closure^d_M(Z)$: similarly but for d-regions;

• $Approx_M(Z)$: the smallest union of d-regions that is convex and that contains $Z$.

The following lemma establishes the links between the three abstraction operators, and is very useful to transpose reachability results from one abstraction to the other.

Lemma 5 ([8]) For every zone $Z$: $Z \subseteq Closure^d_M(Z) \subseteq Approx_M(Z) \subseteq Closure_M(Z)$.

Similarly to region graphs, we define simulation graphs where after every transition a specific approximation operation is used. So we have three graphs corresponding to the three approximation operations above. Notice that $Closure_M(Z)$ and $Closure^d_M(Z)$ may not be convex, hence they may not be zones [8].

Take an automaton $A$ and let $M$ be the biggest constant that appears in the guards of its transitions. The simulation graph $SG(A)$ has nodes of the form $(q, S)$ where $q$ is a state of $A$ and $S$ is a set of valuations. The initial node is $(q_0, \{\mathbf{0}\})$. There is a transition $(q, S) \xrightarrow{t} (q', Closure_M(S'))$ in $SG(A)$ if $S'$ is the set of valuations $v'$ such that $(q, v) \xrightarrow{t, \delta} (q', v')$ for some $v \in S$ and $\delta \in \mathbb{R}_{\ge 0}$. Similarly, we define $SG^d(A)$ and $SG^a(A)$ by replacing $Closure_M$ with $Closure^d_M$ and $Approx_M$ respectively. Observe that for every node $(q, S)$ that is reachable in one of the three graphs above, $S$ is a union of regions or d-regions. The notions of an abstraction of a run of $A$, and of an instantiation of a path in the simulation graph, are defined in the same way as for region graphs.

Tools like Kronos or Uppaal use the $Approx_M$ abstraction. The two other abstractions are less interesting for implementations since the result may not be convex. Nevertheless, they are useful in proofs. The following lemma (cf. [15]) says that transitions in $SG(A)$ are post-stable with respect to regions.

Lemma 6 Let $(q, S) \xrightarrow{t} (q', S')$ be a transition in $SG(A)$ such that both $S$ and $S'$ are unions of regions. For every region $r' \subseteq S'$, there is a region $r \subseteq S$ such that $(q, r) \xrightarrow{t} (q', r')$ is a transition in $RG(A)$.

Proof Take a transition $(q, S) \xrightarrow{t} (q', S')$ and let us examine what it means. By definition, $S' = Closure_M(S'')$ where $S''$ is the set of valuations $v''$ that satisfy $(q, v) \xrightarrow{t, \delta} (q', v'')$ for some $v \in S$ and $\delta \in \mathbb{R}_{\ge 0}$. Consider $r' \subseteq S'$; the intersection $r' \cap S''$ is not empty. Take $v' \in r' \cap S''$, and let $v \in S$ be a valuation such that $(q, v) \xrightarrow{t, \delta} (q', v')$ for some $\delta \in \mathbb{R}_{\ge 0}$. Let $r$ be the region of $v$. We have that $r \cap S$ is not empty, hence $r \subseteq S$ as $S$ is a union of regions. By definition $(q, r) \xrightarrow{t} (q', r')$ is a transition in $RG(A)$. □

Figure 1: A part of the region graph for the automaton $A_2$ in Figure 9: the path $(0, 0{=}x{=}y) \to (1, 0{=}x{=}y) \to (0, 0{=}x{=}y) \to (2, 0{=}y{=}x) \to (0, 0{=}x{=}y) \cdots$ together with the deadlock nodes $(1, 0{=}x{<}y)$ and $(2, 0{=}y{<}x)$.

Figure 2: A part of the symbolic graph for the automaton $A_2$ in Figure 9: the path $(0, 0{=}x{=}y) \to (1, 0{=}x{\le}y) \to (0, 0{=}x{=}y) \to (2, 0{=}y{\le}x) \to (0, 0{=}x{=}y) \cdots$

We get a correspondence between paths in simulation graphs and runs of $A$.

Theorem 7 ([24]) Every path in $SG(A)$ is an abstraction of a run of $A$, and conversely, every run of $A$ is an instantiation of a path in $SG(A)$. Similarly for $SG^d$ and $SG^a$.

Proof We first show that a path in $SG(A)$ is an abstraction of a run of $A$. Take a path $(q_0, S_0) \xrightarrow{t_0} (q_1, S_1) \xrightarrow{t_1} \cdots$ in $SG(A)$. Construct a DAG with nodes $(i, q_i, r_i)$ such that $r_i$ is a region in $S_i$. We put an edge from $(i, q_i, r_i)$ to $(i+1, q_{i+1}, r_{i+1})$ if $(q_i, r_i) \xrightarrow{t_i} (q_{i+1}, r_{i+1})$. By Lemma 6 every node in this DAG has at least one predecessor, and the branching of every node is bounded by the number of regions. Hence, this DAG has an infinite path that is a path in $RG(A)$. By Lemma 3 this path can be instantiated to a run of $A$.

To conclude the proof one can easily verify that a run of $A$ can be abstracted to a path in $SG^d(A)$. Then using Lemma 5 this path can be converted to a path in $SG^a(A)$, and later to one in $SG(A)$. □

Observe that Theorem 7 does not guarantee that a path we find in a simulation graph has an instantiation that is non-Zeno. This cannot be decided from $SG(A)$ by using the progress criterion defined in Section 2.2, as we show now. Consider for instance the automaton $A_2$ in Figure 9, which has only Zeno runs as both $x$ and $y$ must remain equal to $0$ on every run. Figure 1 shows a part of $RG(A_2)$. The infinite path starting from node $(0, 0{=}x{=}y)$ is not progressive as none of the clocks can have a positive value. Moreover, it can be seen that every node where a clock has a positive value is a deadlock node. Figure 2 depicts the corresponding part of $SG(A_2)$. This path satisfies the progress criterion as both $x$ and $y$ are reset and may have positive values infinitely often, despite all its instantiations being Zeno. The progress criterion fails due to the loss of pre-stability in $SG(A_2)$: none of the valuations with either $x > 0$ or $y > 0$ has a successor. In Section 3 we show how to avoid this problem.
Figure 3: The gadgets $V_k$ (left) and $W_k = SNZ(V_k)$ (right).

In the subsequent sections, we are interested only in the simulation graph $SG^a(A)$. Observe that the symbolic zone obtained by the approximation of a zone using $Approx_M$ is in fact a zone. Hence, we prefer to call it a zone graph and denote it as $ZG^a(A)$. Every node of $ZG^a(A)$ is of the form $(q, Z)$ where $Z$ is a zone.

3 Finding non-Zeno paths

As we have remarked above, in order to use Theorem 7 we need to be sure that the path we get can be instantiated to a non-Zeno run. We discuss the solutions proposed in the literature, and then offer a better one. Thanks to the pre-stability of the region graph, the progress criterion on regions has been defined in [1] for selecting runs from $RG(A)$ that have a non-Zeno instantiation (see Section 2.2). Notice that the semantics of TBA in [1] constrains all delays $\delta_i$ to be strictly positive, but the progress criterion can be extended to the stronger semantics that is used nowadays (see [25] for instance). However, since zone graphs are not pre-stable, this method cannot be directly extended to zone graphs.

3.1 Adding one clock

A common solution to deal with Zeno runs is to transform an automaton into a strongly non-Zeno automaton, i.e. one such that all runs satisfying the Büchi condition are guaranteed to be non-Zeno. We present this solution here and discuss why, although simple, it may add an exponential factor to the decision procedure.

The main idea behind the transformation of $A$ into a strongly non-Zeno automaton $SNZ(A)$ is to ensure that on every accepting run, time elapses for 1 time unit infinitely often. Hence, it is sufficient to check for the existence of an accepting run, as it is non-Zeno for granted. Consider the automaton $V_k$ and its transformation into $W_k = SNZ(V_k)$ in Figure 3. The transformation adds one clock $z$ and duplicates accepting states (e.g. $a_k$ in $V_k$). One copy is no longer accepting whereas the other is accepting, but it can be reached only when $z \ge 1$ (these are respectively $a^2_k$ and $a^1_k$ in $W_k$). Moreover, when an accepting state is reached $z$ is reset to $0$. As a result, every accepting run in $V_k$ has a corresponding run in $W_k$ where every occurrence of $a_k$ is replaced by an occurrence of either $a^1_k$ or $a^2_k$. Since two occurrences of the accepting state $a^1_k$ have to be separated by at least one time unit, an accepting run in $W_k$ is necessarily non-Zeno.

Figure 4: Part of $ZG(V_2)$.

Figure 5: The gadget $\mathcal{R}_k$.
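The following Python is an added example, not the paper's code, of the transformation just described, applied to a transition-list encoding of a TBA. The tuple encoding of transitions, the naming of the two copies of an accepting state as $(a, 1)$ and $(a, 2)$, the choice to start in the non-accepting copy when the initial state is accepting, and the name $z$ of the fresh clock are assumptions of this example; $z$ is reset on every entry into either copy, and the accepting copy additionally carries the guard $z \ge 1$.

```python
# Added example (not the paper's code): the strongly non-Zeno transformation of Section 3.1 on a
# transition-list encoding. Transitions are (source, guard, resets, target), guards are lists of
# (clock, op, constant); the copy names (q, 1)/(q, 2) and the fresh clock name are assumptions.

def strongly_non_zeno(transitions, accepting, initial, fresh_clock="z"):
    """Return (transitions', accepting', initial') of SNZ(A). Every accepting state a is split into a
    non-accepting copy (a, 2) and an accepting copy (a, 1) that can be entered only when z >= 1; z is
    reset on every entry into a copy, so two visits of (a, 1) are at least one time unit apart."""
    def copies(q):
        return [(q, 1), (q, 2)] if q in accepting else [q]
    result = []
    for src, guard, resets, dst in transitions:
        for s in copies(src):                     # both copies of the source keep its outgoing transitions
            if dst in accepting:
                result.append((s, list(guard), list(resets) + [fresh_clock], (dst, 2)))
                result.append((s, list(guard) + [(fresh_clock, ">=", 1)],
                               list(resets) + [fresh_clock], (dst, 1)))
            else:
                result.append((s, list(guard), list(resets), dst))
    # assumption of this example: an accepting initial state starts in its non-accepting copy
    new_initial = (initial, 2) if initial in accepting else initial
    return result, {(a, 1) for a in accepting}, new_initial

# Constructed two-state TBA: state 0 is accepting; the loop 0 -> 1 -> 0 resets x and then waits for x >= 1.
EXAMPLE = [(0, [], ["x"], 1), (1, [("x", ">=", 1)], [], 0)]
```

On `EXAMPLE` the result has four transitions: both copies of state 0 keep the transition to 1, and the transition back from 1 is split into one entering $(0, 2)$ and one entering $(0, 1)$ under $z \ge 1$.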

A slightly different construction is mentioned in [2]. Of course one can also have other modifications, and it is impossible to treat all the imaginable constructions at once. Our objective here is to show that the constructions proposed in the literature produce a phenomenon causing a proliferation of zones that can sometimes be exponential in the number of clocks. The discussion below will focus on the construction from [25], but the one from [2] suffers from the same problem.

The problem comes from the fact that the constraint $z \ge 1$ may be a source of rapid multiplication of the number of zones in the zone graph of $SNZ(A)$. Consider $V_k$ and $W_k$ from Figure 3 and let us say that $k = 2$. Starting at the state $b_2$ of $V_2$ in the zone $0 \le y \le x_1 \le x_2$, there are two reachable zones with state $b_2$. This is depicted in Figure 4, where after two traversals of the cycle formed by $b_2$ and $a_2$ we reach a zone that is invariant for the cycle. Moreover, from the two zones with state $b_2$ in Figure 4, resetting $x_1$ followed by $y$ as $\mathcal{R}_1$ (in Figure 5) does, we reach the same zone $0 \le y \le x_1 \le x_2$.

In contrast, starting in $b_2$ of $W_2 = SNZ(V_2)$ from $0 \le y \le x_1 \le x_2 \le z$ gives at least $d$ zones. The part of $ZG(W_2)$ in Figure 6 gives the sequence of transitions in the zone graph of $W_2$ starting from the zone $(b_2, 0 \le y \le x_1 \le x_2 \le z)$ by successive iterations of the cycle that goes through $b_2$, $a^1_2$ and $a^2_2$. After a certain point, every traversal induces an extra distance between the clocks $y$ and $z$. Clearly, there are at least $d$ zones in this case. Resetting $x_1$ followed by $y$ as $\mathcal{R}_1$ (in Figure 5) does still yields $d$ zones.
Figure 6: Part of $ZG(W_2)$.

Figure 7: Automata $A_n$ (left) and $B_n = SNZ(A_n)$ (right).



We now exploit this fact to give an example of a TBA $A_n$ whose zone graph has a number of zones linear in the number of clocks, but $B_n = SNZ(A_n)$ has a zone graph of size exponential in the number of clocks.

$A_n$, in Figure 7, is constructed from the automata gadgets $V_k$ and $\mathcal{R}_k$ as shown in Figures 3 and 5. Observe that the role of $\mathcal{R}_k$ is to enforce an order $0 \le y \le x_1 \le \cdots \le x_k$ between clock values. By induction on $k$ one can compute that there are only two zones at locations $b_k$, since $\mathcal{R}_{k+1}$ makes the two zones in $b_{k+1}$ collapse into the same zone in $b_k$. Hence the number of nodes in the zone graph of $A_n$ is $O(n)$.

Let us now consider $B_n$, the strongly non-Zeno automaton obtained from $A_n$ following [25]. Every gadget $V_k$ gets transformed to $W_k$ as shown in Figure 3. While exploring $W_k$, one introduces a distance between the clocks $x_{k-1}$ and $x_k$. So when leaving it one gets zones with $x_k - x_{k-1} \ge c$, where $c \in \{0, 1, 2, \dots, d\}$. The distance between $x_k$ and $x_{k-1}$ is preserved by $\mathcal{R}_k$. In consequence, $W_n$ produces at least $d + 1$ zones. For each of these zones $W_{n-1}$ produces $d + 1$ more zones. In the end, the zone graph of $B_n$ has at least $(d+1)^{n-1}$ zones at the state $b_2$. The zones obtained with the state $b_k$ are of the form

$0 = x_1 = \cdots = x_{k-1} \le z \le y \le x_k \le \cdots \le x_n \;\wedge\; \bigwedge_{i \in \{k, \dots, n-1\}} x_{i+1} - x_i \ge c_i$, where each $c_i \in \{0, 1, \dots, d\}$.

So the zone graph has at least $(d+1)^{n-k+1}$ zones at state $b_k$. Hence, the zone graph of $B_n$ contains at least $(d+1)^{n-1}$ zones.

We have thus shown that $A_n$ has $O(n)$ zones while $B_n = SNZ(A_n)$ has an exponential number of zones even when the constant $d$ is $1$. One could argue that the transformation in [25] can be modified in such a way as to prevent the combinatorial explosion. In particular, it is often suggested to replace $z \ge 1$ by a guard that matches the biggest constant in the automaton, that is $z \ge d$ in our case. However, this would still yield an exponential blowup, as every zone with state $b_k$ yields two different zones with state $b_{k-1}$ that do not collapse going through $\mathcal{R}_{k-1}$. Observe also that the construction shows that even with two clocks the number of zones blows up exponentially in the binary representation of $d$. Note that the automaton $A_n$ does not have a non-Zeno accepting run. Hence, every search algorithm is compelled to explore all the zones of $B_n$.
3.2 A more efficient solution

We aim to decide if a given path in a zone graph has a non-Zeno instantiation. This is equivalent to deciding if all instantiations of a path are Zeno. There are essentially two reasons for this:

• there may be a clock $x$ that is reset finitely many times but bounded infinitely many times by guards $x \le c$:

$\cdot \xrightarrow{x < 1} \cdot \xrightarrow{\{x\}} \cdot \xrightarrow{x < 2} \cdot \xrightarrow{x < 1} \cdot \cdots$ (suffix with no reset of $x$)

• or time may not be able to elapse at all due to infinitely many transitions that check $x = 0$, forcing $x$ to stay at $0$.

Our solution stems from the realization that we only need one non-Zeno run satisfying the Büchi condition, and so transforming an automaton into a strongly non-Zeno one is in a way excessive. We propose not to modify the automaton, but to introduce additional information into the zone graph $ZG^a(A)$. The nodes will now be triples $(q, Z, Y)$ where $Y \subseteq X$ is the set of clocks that can potentially be equal to $0$. It means in particular that the other clock variables, i.e. those from $X - Y$, are assumed to be bigger than $0$. We write $(X - Y) > 0$ for the constraint saying that all the variables in $X - Y$ are not $0$.

Definition 8 Let $A$ be a TBA over a set of clocks $X$. The guessing zone graph $GZG^a(A)$ has nodes of the form $(q, Z, Y)$ where $(q, Z)$ is a node in $ZG^a(A)$ and $Y \subseteq X$. The initial node is $(q_0, Z_0, X)$, with $(q_0, Z_0)$ the initial node of $ZG^a(A)$. In $GZG^a(A)$ there are transitions:

• $(q, Z, Y) \xrightarrow{t} (q', Z', Y \cup R)$ if there is a transition $(q, Z) \xrightarrow{t} (q', Z')$ in $ZG^a(A)$ with $t = (q, g, R, q')$, and there are valuations $v \in Z$, $v' \in Z'$ and $\delta \in \mathbb{R}_{\ge 0}$ such that $v + \delta \models (X - Y) > 0$ and $(q, v) \xrightarrow{t, \delta} (q', v')$;

• $(q, Z, Y) \xrightarrow{\tau} (q, Z, Y')$, on a new auxiliary letter $\tau$, for $Y' = \emptyset$ or $Y' = Y$.

The additional component $Y$ expresses some information about the possible valuations with which we can take a transition. The first case is about transitions that are realizable when the clocks outside $Y$ are positive. While it is formulated in a more general way, one can think of this transition as being instantaneous: $\delta = 0$. Then we have the second kind of transitions, namely the transitions on $\tau$, that allow us to nondeterministically guess when time can pass.

It will be useful to distinguish some types of transitions and nodes of $GZG^a(A)$.

Definition 9 We call a transition of $GZG^a(A)$ a zero-check when some clock is forced to be equal to $0$ by the guard $g$ of the transition; formally, for some clock $x$, for all $v \in Z$ and all $\delta \in \mathbb{R}_{\ge 0}$ such that $v + \delta \models g$ we have $(v + \delta)(x) = 0$.
The role of the $Y$ sets will become obvious in the construction below. In short, from a node $(q, Z, \emptyset)$, that is with $Y = \emptyset$, every reachable zero-check will be preceded by the reset of the variable that is checked, and hence nothing prevents a time elapse in this node. We will be particularly interested in the following types of nodes to find non-Zeno accepting runs.

Definition 10 A node $(q, Z, Y)$ of $GZG^a(A)$ is clear if the third component is empty: $Y = \emptyset$. A node is accepting if $q$ is an accepting state.

Example 11 Figure 8 depicts a TBA $A_1$ along with its zone graph $ZG^a(A_1)$ and its guessing zone graph $GZG^a(A_1)$ where $\tau$-loops have been omitted.

The guessing zone graph construction can be optimized by restricting the guessed sets to clocks that are indeed equal to zero in some valuation in the zone. For instance, from the node $(b, x > 1, \{x\})$ in Figure 8, $x$ cannot be checked for zero unless it is first reset. Hence, this node can safely be removed from $GZG^a(A_1)$, yielding a smaller graph. In the resulting graph, the only loop goes through a $\tau$ transition. This emphasizes that time must elapse from node $(a, x = 0, \{x\})$ in order to take a transition with guard $x > 1$. An optimized guessing zone graph construction is given in .




[Figure 8: three panels, A_1, ZG_a(A_1) and GZG_a(A_1); the drawing itself is not recoverable from the text.]

Figure 8: A TBA A_1 and the guessing zone graph GZG_a(A_1) (with τ self-loops omitted for clarity).

Notice that directly from the definition it follows that a path in GZG_a(A) determines a path in ZG_a(A), obtained by removing the τ transitions and the third component from the nodes.

In order to state the main theorem succinctly we need some notions.

Definition 12 A variable x is bounded by a transition of GZG_a(A) if the guard of the transition implies x ≤ c for some constant c. More precisely: x is bounded by the transition $(q, Z, Y) \xrightarrow{(q, g, R, q')} (q', Z', Y')$ if for all v ∈ Z and δ ∈ ℝ≥0 such that v + δ ⊨ g, we have (v + δ)(x) ≤ c for some c ∈ ℕ. A variable is reset by the transition if it belongs to the reset set R of the transition.
Definition 13 We say that a path is blocked if there is a variable that is bounded infinitely often and reset only finitely often by the transitions on the path. Otherwise the path is called unblocked.

Obviously, paths corresponding to non-Zeno runs are unblocked. 

Theorem 14 A TBA A has a non-Zeno run satisfying the Büchi condition iff there exists an unblocked path in GZG_a(A) visiting both an accepting node and a clear node infinitely often.

The proof of Theorem 14 follows from Lemmas 15 and 16 below. It is in Lemma 16 that the third component of the states is used.

At the beginning of the section we recalled that the progress criterion [TJ stated on page 5 characterizes the paths in region graphs that have non-Zeno instantiations. We mentioned that it cannot be directly extended to zone graphs since their transitions are not pre-stable. Lemma 16 below shows that by slightly complicating the zone graph we can recover a result very similar to Lemma 4.13 in [TJ.

Lemma 15 If A has a non-Zeno run satisfying the Büchi condition, then in GZG_a(A) there is an unblocked path visiting both an accepting node and a clear node infinitely often.

Proof

Let ρ be a non-Zeno run of A:

$(q_0, v_0) \xrightarrow{\delta_0, t_0} (q_1, v_1) \xrightarrow{\delta_1, t_1} \cdots$

By Theorem 7 it is a concretization of a path σ in ZG_a(A):

$(q_0, Z_0) \xrightarrow{t_0} (q_1, Z_1) \xrightarrow{t_1} \cdots$

Let σ' be the following sequence:

$(q_0, Z_0, Y_0) \xrightarrow{\tau} (q_0, Z_0, Y_0') \xrightarrow{t_0} (q_1, Z_1, Y_1) \xrightarrow{\tau} (q_1, Z_1, Y_1') \xrightarrow{t_1} \cdots$

where Y_0 = X, Y_i is determined by the transition, and Y_i' = Y_i unless δ_i > 0, in which case we put Y_i' = ∅. We need to see that this is indeed a path in GZG_a(A). For this we need to see that every transition $(q_i, Z_i, Y_i') \xrightarrow{t_i} (q_{i+1}, Z_{i+1}, Y_{i+1})$ is realizable from a valuation v such that v ⊨ (X − Y_i') > 0. But an easy induction on i shows that actually v_i ⊨ (X − Y_i') > 0.

Since ρ is non-Zeno there are infinitely many i with Y_i' = ∅. Since the initial run is non-Zeno, σ' is unblocked. □

Lemma 16 Suppose GZG_a(A) has an unblocked path visiting infinitely often both a clear node and an accepting node; then A has a non-Zeno run satisfying the Büchi condition.

Proof

Let σ be a path in GZG_a(A) as required by the assumptions of the lemma (without loss of generality we assume every alternate transition is a τ transition):

$(q_0, Z_0, Y_0) \xrightarrow{\tau} (q_0, Z_0, Y_0') \xrightarrow{t_0} \cdots (q_i, Z_i, Y_i) \xrightarrow{\tau} (q_i, Z_i, Y_i') \xrightarrow{t_i} \cdots$

Take a corresponding path in ZG_a(A) and one instantiation ρ = (q_0, v_0), (q_1, v_1), … that exists by Theorem 7. If it is non-Zeno then we are done.

Suppose ρ is Zeno. We now show how to build a non-Zeno instantiation of σ from ρ. Let X_r be the set of variables reset infinitely often on σ. As σ is unblocked, every variable not in X_r is bounded only finitely often. Since ρ is Zeno, there is an index m such that the duration of the suffix of the run starting from (q_m, v_m) is bounded by 1/2, and no transition in this suffix bounds a variable outside X_r. Let n > m be such that every variable from X_r is reset between m and n. Observe that v_n(x) ≤ 1/2 for every x ∈ X_r.

Take positions i, j such that i, j > n, Y_i = Y_j = ∅ and all the variables from X_r are reset between i and j. We look at the part of the run ρ:

$(q_i, v_i) \xrightarrow{\delta_i, t_i} (q_{i+1}, v_{i+1}) \xrightarrow{\delta_{i+1}, t_{i+1}} \cdots (q_j, v_j)$

and claim that for every ζ ∈ ℝ≥0 the sequence of the form

$(q_i, v_i') \xrightarrow{\delta_i, t_i} (q_{i+1}, v_{i+1}') \xrightarrow{\delta_{i+1}, t_{i+1}} \cdots (q_j, v_j')$

is a part of a run of A where v_k' for k = i, …, j satisfy:

1. v_k'(x) = v_k(x) + ζ + 1/2 for all x ∉ X_r,

2. v_k'(x) = v_k(x) + 1/2 if x ∈ X_r and x has not been reset between i and k,

3. v_k'(x) = v_k(x) otherwise, i.e., when x ∈ X_r and x has been reset between i and k.

Before proving this claim, let us explain how to use it to conclude the proof. The claim shows that in (q_i, v_i) we can pass 1/2 units of time and then construct a part of the run of A arriving at (q_j, v_j') where v_j'(x) = v_j(x) for all variables in X_r, and v_j'(x) = v_j(x) + 1/2 for the other variables. Now, we can find l > j such that the pair (j, l) has the same properties as (i, j). We can pass 1/2 units of time in j and repeat the above construction, getting a longer run that has passed 1/2 units of time twice. This way we construct a run that passes 1/2 units of time infinitely often, hence it is non-Zeno. By the construction it also passes infinitely often through accepting nodes.

It remains to prove the claim. Take a transition $(q_k, v_k) \xrightarrow{\delta_k, t_k} (q_{k+1}, v_{k+1})$ and show that $(q_k, v_k') \xrightarrow{\delta_k, t_k} (q_{k+1}, v_{k+1}')$ is also a transition allowed by the automaton. Let g and R be the guard of t_k and the reset of t_k, respectively.

First we need to show that v_k' + δ_k satisfies the guard of t_k. For this, we need to check that for every variable x ∈ X the constraints in g concerning x are satisfied. We have three cases:

• If x ∉ X_r then x is not bounded by the transition t_k, which means that in g the constraints on x are of the form (x ≥ c) or (x > c). Since (v_k + δ_k)(x) satisfies these constraints, so does (v_k' + δ_k)(x) ≥ (v_k + δ_k)(x).

• If x ∈ X_r and it is reset between i and k then v_k'(x) = v_k(x), so we are done.

• Otherwise, we observe that x ∉ Y_k. This is because Y_i = ∅, and then only variables that are reset are added to Y. Since x is not reset between i and k, it cannot be in Y_k. By definition of the transitions in GZG_a(A) this means that g ∧ (x > 0) is consistent. We have that 0 ≤ (v_k + δ_k)(x) ≤ 1/2 and 1/2 ≤ (v_k' + δ_k)(x) ≤ 1. So v_k' + δ_k satisfies all the constraints in g concerning x, as v_k + δ_k does.

This shows that there is a transition $(q_k, v_k') \xrightarrow{\delta_k, t_k} (q_{k+1}, v')$ for the uniquely determined v' = [R](v_k' + δ_k). It is enough to show that v' = v_{k+1}'. For variables not in X_r it is clear as they are not reset. For variables that have been reset between i and k this is also clear as they have the same values in v_{k+1}' and v'. For the remaining variables, if a variable is not reset by the transition t_k then its value is the same in v' and v_k'. If it is reset then its value in v' becomes 0; but so it is in v_{k+1}', and so the third condition holds. This proves the claim. □

Finally, we provide an explanation as to why the proposed solution does not produce an exponential blowup. At first it may seem that we have gained nothing, because by adding arbitrary sets Y we have automatically caused an exponential blowup of the zone graph. We claim that this is not the case for the part of GZG_a(A) reachable from the initial node, namely the node with the initial state of A, the zone putting every clock to 0, and Y = X.

We say that a zone orders clocks if for every two clocks x, y, the zone implies that at least one of x ≤ y or y ≤ x holds.

Lemma 17 If a node with a zone Z is reachable from the initial node of the zone graph ZG_a(A) then Z orders clocks. The same holds for GZG_a(A).

Proof

First notice that in the initial zone all the clocks are equal to each other. Now, consider a zone Z that orders clocks. Let $(q, Z) \xrightarrow{t} (q', Z')$ be a transition of ZG_a(A). This means that there exists a transition $(q, Z) \xrightarrow{t} (q', Z_1')$ in the (unabstracted) zone graph ZG(A) such that Z' = Approx_M(Z_1'). Directly from the definition of transitions we have that Z_1' orders clocks. It remains to check that the clock ordering in Z_1' is preserved in Z' = Approx_M(Z_1'). Suppose not; then let x_1 ≤ ··· ≤ x_n be the ordering in Z_1'. We get that Z' ∧ (x_1 ≤ ··· ≤ x_n) is a smaller convex union of regions than Z' that contains Z_1' (recall that M > 0), a contradiction. For the second statement observe that for every node (q, Z, Y) in GZG_a(A), (q, Z) is reachable in ZG_a(A). □

Suppose that Z orders clocks. We say that a set of clocks Y respects the order given by Z if whenever y ∈ Y and Z implies x ≤ y then x ∈ Y. In other words, Y is downward closed with respect to the ordering constraint in Z.
Lemma 18 If a node (q, Z, Y) is reachable from the initial node of the guessing zone graph GZG_a(A) then Y respects the order given by Z.

Proof

The proof is by induction on the length of a path. In the initial node (q_0, Z_0, X), the set X obviously respects the order as it is the set of all clocks. Now take a transition $(q, Z, Y) \xrightarrow{t} (q', Z', Y')$ with Y respecting the order in Z. We need to show that Y' respects the order in Z'. By the definition of transitions in GZG_a(A) there are v ∈ Z, v' ∈ Z' and δ ∈ ℝ≥0 such that $(q, v) \xrightarrow{\delta, t} (q', v')$ and v + δ ⊨ (X − Y) > 0. Take y ∈ Y' and suppose that Z' implies x ≤ y for some clock x. There are three cases depending on which of the variables y, x are reset by the transition.

• If x is reset by the transition then, by definition, x ∈ Y'.

• If y is reset then Z' implies y = 0. Hence Z' implies that x = 0. When x is not reset, x is checked for 0 on t. Hence, x ∈ Y and x ∈ Y'.

• The remaining case is when neither of the two variables is reset by the transition. As v' ∈ Z', we have that v' ⊨ x ≤ y, and in consequence v ⊨ x ≤ y. Since Z orders clocks and v ∈ Z, we must have that Z implies x ≤ y. As y has not been reset, y ∈ Y. By the assumption that Y respects the order in Z, x ∈ Y. □

The above two lemmas give us the desired bound.

Theorem 19 Let |ZG_a(A)| be the size of the zone graph, and |X| be the number of clocks in A. The number of reachable nodes of GZG_a(A) is bounded by |ZG_a(A)| · (|X| + 1).

The theorem follows directly from the above two lemmas. Of course, by imposing that zones have ordered clocks in the definition of GZG_a(A) we would get the same bound for the entire GZG_a(A).

3.3 Examples of guessing zone graphs

Figure 8 in Section 3.2 depicts a TBA A_1 along with ZG_a(A_1) and GZG_a(A_1) (where the τ-loops have been omitted). In order to fire the transition $b \xrightarrow{x < 1, \{x\}} a$, time must not elapse in b. The third component Y does not help to detect that time cannot elapse in b, as in GZG_a(A_1) the transition is allowed for both Y = {x} and Y = ∅. However, as soon as a strongly-connected component (SCC) contains a transition with guard x > 1 and a transition that resets x, it has a non-Zeno run, and the third component does not play any role.

The third component is only useful in the case where an SCC contains no transition with a guard implying x > 1 for some clock x that is also reset on some transition in the SCC. In such a case, zero-checks may prevent time from elapsing. We illustrate this case on the next two examples, which emphasize how the third component added to the states of the zone graph allows us to distinguish between Zeno runs and non-Zeno runs.

The TBA A_2 shown in Figure 9 has only runs where time cannot elapse at all. This is detected in GZG_a(A_2), as all states in the only non-trivial SCC have Y = {x, y} as the third component. This means that from every state there exists a reachable zero-check that is not preceded by the corresponding reset, hence preventing time from elapsing. Notice that the correctness of this argument relies on the fact that for every (q, Z, Y) in GZG_a(A_2), and for every transition t = (q, g, R, q'), even if t is fireable in ZG_a(A_2) from (q, Z), it must also be fireable under the supplementary hypothesis (X − Y) > 0 given by Y in GZG_a(A_2).

The TBA A_3 in Figure 9 admits a non-Zeno run. This can be read from GZG_a(A_3), since the SCC composed of the four zones with Y = {x, y} together with (z2, ∅) and (z3, {y}) contains a clear node. This is precisely the state where time can elapse, as every reachable zero-check is preceded by the corresponding reset.
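The construction of Section 3.2 (a transition of the automaton is taken only if every clock it forces to 0 is already in Y, and τ transitions guess Y' = ∅) and the A_2 / A_3 contrast above, as an added Python example that is not the paper's code. The two zone graphs are constructed abstractions in the shape of A_2 and A_3, not the figures of the paper: each edge is annotated with the clocks its guard forces to 0 (Definition 9) and with its reset set, and realizability under (X − Y) > 0 is approximated by requiring the zero-checked clocks to lie in Y. The node names z1..z4, the clock names and every function name are the example's own assumptions.

```python
"""Guessing zone graph on an annotated abstract zone graph (added example).
Zones are not computed; each edge carries the clocks its guard forces to 0
and its reset set (an assumption of this example, not the paper's construction)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Node = Tuple[str, FrozenSet[str]]        # (zone-graph node, guessed set Y)
Trans = Tuple[Node, str, Node]           # (source, label, target)


@dataclass(frozen=True)
class ZEdge:
    src: str
    dst: str
    zero_checked: FrozenSet[str]         # clocks forced to 0 by the guard
    reset: FrozenSet[str]                # reset set R of the transition


def guessing_zone_graph(clocks: Set[str], init: str,
                        edges: List[ZEdge]) -> Tuple[Set[Node], Set[Trans]]:
    """Reachable part of the guessing zone graph from the initial node (init, X).
    (q,Y) --t--> (q', Y u R) only if the edge is realizable with every clock
    outside Y positive, i.e. zero_checked <= Y; (q,Y) --tau--> (q, {}) guesses
    that time elapses.  The trivial tau self-loop Y' = Y is omitted (Figure 8)."""
    X = frozenset(clocks)
    by_src: Dict[str, List[ZEdge]] = {}
    for e in edges:
        by_src.setdefault(e.src, []).append(e)
    start: Node = (init, X)
    nodes: Set[Node] = {start}
    trans: Set[Trans] = set()
    work: List[Node] = [start]
    while work:
        q, Y = work.pop()
        succ: List[Tuple[Node, str]] = []
        if Y:
            succ.append(((q, frozenset()), "tau"))
        for e in by_src.get(q, []):
            if e.zero_checked <= Y:
                succ.append(((e.dst, Y | e.reset), f"{e.src}->{e.dst}"))
        for n, label in succ:
            trans.add(((q, Y), label, n))
            if n not in nodes:
                nodes.add(n)
                work.append(n)
    return nodes, trans


def has_clear_cycle(nodes: Set[Node], trans: Set[Trans]) -> bool:
    """True iff some clear node (Y = {}, Definition 10) lies on a cycle, i.e.
    time can elapse infinitely often.  Acceptance and the unblocked condition
    of Theorem 14 are left out to keep the example short."""
    succ: Dict[Node, Set[Node]] = {}
    for s, _, d in trans:
        succ.setdefault(s, set()).add(d)
    for n in nodes:
        if n[1]:
            continue
        seen: Set[Node] = set()
        work = list(succ.get(n, ()))
        while work:
            m = work.pop()
            if m == n:
                return True
            if m in seen:
                continue
            seen.add(m)
            work.extend(succ.get(m, ()))
    return False


# Constructed inputs (assumed shapes, not the paper's figures).
# A_2-like: each zero-check is on the clock reset by the *other* edge, so the
# loop can only be taken without letting time pass.
A2_EDGES = [
    ZEdge("z1", "z2", frozenset({"y"}), frozenset({"x"})),
    ZEdge("z2", "z1", frozenset({"x"}), frozenset({"y"})),
]
# A_3-like: time may elapse at z2; y is reset (z2->z3) before its zero-check
# (z3->z4) and x is reset (z3->z4) before its zero-check (z1->z2).
A3_EDGES = [
    ZEdge("z1", "z2", frozenset({"x"}), frozenset()),
    ZEdge("z2", "z3", frozenset(), frozenset({"y"})),
    ZEdge("z3", "z4", frozenset({"y"}), frozenset({"x"})),
    ZEdge("z4", "z1", frozenset(), frozenset()),
]


def analyse(edges: List[ZEdge]) -> Tuple[int, bool]:
    """(number of reachable GZG nodes, does a clear node lie on a cycle?)"""
    nodes, trans = guessing_zone_graph({"x", "y"}, "z1", edges)
    return len(nodes), has_clear_cycle(nodes, trans)


if __name__ == "__main__":
    print("A2-like:", analyse(A2_EDGES))   # (4, False): Zeno only
    print("A3-like:", analyse(A3_EDGES))   # (9, True): time can elapse at (z2, {})
```

On the A_3-like input the cycle found goes through (z2, ∅) and (z3, {y}) and the four nodes with Y = {x, y}, which is the SCC the text describes; on the A_2-like input the clear nodes are reachable only by a τ step and have no way back, so every cycle keeps Y = {x, y}. Both graphs stay within the bound |ZG_a(A)| · (|X| + 1) = 12 of Theorem 19.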

4 Algorithm

In this section, we provide an on-the-fly algorithm for the Büchi non-emptiness problem using the guessing zone graph construction developed in Section 3.2. In the later part of the section, we observe that in most cases non-Zenoness can be detected directly from the standard zone graph, without extra construction. We provide an optimized on-the-fly algorithm taking these observations into account.

We will use Theorem 14 to algorithmically check if an automaton A has a non-Zeno run satisfying the Büchi condition. The theorem requires finding an unblocked path in GZG_a(A) visiting both an accepting node and a clear node infinitely often. This problem is similar to that of testing for emptiness of automata with generalized Büchi conditions, as we need to satisfy two infinitary conditions at the same time. The requirement of a path being unblocked adds additional complexity to the problem. The best algorithms for testing emptiness of automata with generalized Büchi conditions are based on Tarjan's algorithm for strongly connected components (SCC) [23J H3. So this is the way we take here. In particular, we adopt the variant given by Couvreur [TT1 112).

In general, the verification problem for timed systems involves checking if a network of timed automata A_1, …, A_n satisfies a given property φ. Assuming that φ can be translated into a (timed) Büchi automaton A_¬φ, we reduce the verification problem to the emptiness of a timed Büchi automaton A defined as a product A_1 × A_2 × ··· × A_n × A_¬φ for some synchronization policy. Couvreur's algorithm is an extension of Tarjan's algorithm for computing maximal SCCs in a graph. One of its main features is that it stops as soon as a (not necessarily maximal) SCC with an accepting state has been found. In addition, it handles multiple accepting conditions efficiently. To this end, the algorithm computes the set of accepting conditions in each SCC of A. Initially, each state s in A is considered as a trivial SCC labelled with the accepting conditions of s. The algorithm computes the states of A on-the-fly in a depth-first search (DFS) manner starting from the initial state. During the search, when a cycle is found, all the SCCs in the cycle are merged into a bigger SCC Γ that inherits their accepting conditions. If Γ contains all the required accepting conditions, the algorithm stops, declaring A to be not empty. Notice that Γ need not be maximal. Otherwise it resumes the DFS on A. We direct the reader to [ITJ [TH [TB] for further details on Couvreur's algorithm.

In the next section, we show how to enhance Couvreur's algorithm to detect runs that are not only accepting but also non-Zeno. This is achieved by associating extra information with the SCCs of A. This information is updated when SCCs are merged, as is done for accepting conditions.

4.1 Emptiness check on GZG_a(A)

We apply Couvreur's algorithm for detecting maximal SCCs in GZG_a(A). During the computation of the maximal SCCs, we keep track of whether an accepting node and a clear node have been seen. For the unblocked condition we use two sets of clocks U_Γ and R_Γ that respectively contain the clocks that are bounded and the clocks that are reset in the SCC Γ. A clock from U_Γ − R_Γ is called blocking since, being bounded and not reset, it puts a limit on the time that can pass. At the end of the exploration of Γ we check if:

1. we have passed through an accepting node and a clear node,

2. there are no blocking clocks: U_Γ ⊆ R_Γ.

If the two conditions are satisfied then we can conclude that A has an accepting non-Zeno run. Indeed, a path passing infinitely often through all the nodes of Γ would satisfy the conditions of Theorem 14, giving the required run of A. If the first condition does not hold then the same theorem says that Γ does not contain a witness for a non-Zeno run of A satisfying the Büchi condition.

The interesting case is when the first condition holds but not the second. The following lemma yields an algorithm in that case.

Lemma 20 Let Γ be an SCC in GZG_a(A) with an accepting node and a clear node, and such that U_Γ ⊄ R_Γ. There exists an unblocked path in Γ that visits both an accepting node and a clear node infinitely often iff there exists a sub-SCC Γ' ⊆ Γ with an accepting node and a clear node and such that U_Γ' ⊆ R_Γ'.

Proof

Assume that Γ has an unblocked path that visits both an accepting node and a clear node infinitely often. Then define Γ' as the set of nodes and edges that are visited infinitely often on that path.

Conversely, if such a sub-SCC Γ' exists, then consider an infinite path in Γ' that goes infinitely often through each node and each transition of Γ'. This path is unblocked and visits both an accepting node and a clear node. This path is also a path in Γ. □

We call blocking edges all the edges in Γ that bound a clock from U_Γ \ R_Γ. We proceed as follows. We discard all the blocking edges from Γ, as every unblocked path in Γ goes only finitely many times through these edges. In general, this yields several candidates for Γ'. Each of them is a proper sub-SCC of Γ. Then, we restart our algorithm on each such Γ'. Since we have discarded some edges from Γ (hence some resets), a clock may now be blocking in Γ'. If this is the case, the blocking edges in Γ' will be discarded, the resulting sub-SCCs of Γ' will be explored, and so on. Observe that each transition in GZG_a(A) will be visited at most |X| + 1 times, as we eliminate at least one clock at each restart. If after exploring the entire graph the algorithm has not found a subgraph satisfying the two conditions, then it declares that there is no run of A with the desired properties. The correctness of the procedure is based on Theorem 14. The whole procedure (exploring Γ, discarding blocking edges, exploring all Γ' candidates, etc.) can be done on-the-fly without storing Γ, as described in [T5].

Recall that by Theorem 19 the size of GZG_a(A) is O(|ZG_a(A)| · |X|). The complexity of the algorithm follows from the linear complexity of Couvreur's algorithm and the remark about the bound on the number of times each transition is visited. We hence obtain the following.

Theorem 21 The above algorithm is correct and runs in time O(|ZG_a(A)| ·


Although the guessing zone graph provides a way to detect non-Zeno paths, it is useful only when the automaton indeed contains zero-checks. The next challenge therefore lies in optimizing the use of the guessing zone graph construction, that is, applying Couvreur's algorithm directly on the standard zone graph and using the guessing zone graph construction only when required.

4.2 Optimized use of the guessing zone graph construction

The idea is to apply Couvreur's algorithm directly on ZG_a(A) and find an SCC with an accepting node. An SCC is said to be unblocked if it contains no blocking clock; recall that this is a clock x that is checked by a guard which implies x ≤ c for a constant c and that is reset in no transition of the SCC.

Non-Zenoness can be ensured if the SCC satisfies one of the following conditions:

• It is unblocked and free from zero-checks. A zero-check is detected for a transition $(q, Z) \xrightarrow{t} (q', Z')$ and some clock x when for each v ∈ Z and δ ∈ ℝ≥0 such that v + δ ⊨ g, we have (v + δ)(x) = 0.

• There is a clock x that is reset in the SCC and one of the transitions in the SCC implies x > 1.

For the second condition, note that such a reachable SCC instantiates into a path ρ of A whose suffix corresponds to repeated traversals of this SCC. Every traversal resets x and checks a guard that implies x > 1. Therefore, at least 1 time unit elapses in each traversal, implying that ρ is a non-Zeno run. Notice that this relies on the same principle as the one used in the Strongly Non-Zeno construction [32] (see Section 3.1). However, in our case we exploit the information from A: we do not add any new clock. Our algorithm will compute on the fly the set L_Γ of clocks x such that x > 1 is implied by some guard in Γ. This is done in the same way as for U_Γ in the previous subsection. Then, Γ satisfies the second condition above if L_Γ ∩ R_Γ is not empty.
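The SCC procedure of Section 4.1 (the sets U_Γ and R_Γ, discarding blocking edges and restarting on the sub-SCCs) combined with the two sufficient conditions just listed, as an added Python example that is neither the paper's nor the prototype tool's code. Zones are not computed: each edge of a constructed abstract zone graph is annotated with what the algorithm reads off a transition (bounded clocks for U_Γ, reset clocks for R_Γ, clocks with a guard implying x > 1 for L_Γ, and a zero-check flag); Tarjan's algorithm stands in for Couvreur's on-the-fly variant, and the graphs, node names and function names are the example's own assumptions.

```python
"""Emptiness check on annotated abstract zone graphs (added example, not the
paper's code).  Edges carry the facts the algorithm of Sections 4.1/4.2 needs;
this annotation is an assumption of the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Verdict = Tuple[str, FrozenSet[str]]


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    bounded: FrozenSet[str] = frozenset()   # guard implies x <= c (feeds U)
    reset: FrozenSet[str] = frozenset()     # reset set R          (feeds R)
    lower: FrozenSet[str] = frozenset()     # guard implies x > 1  (feeds L)
    zero_check: bool = False                # guard forces some clock to be 0


def sccs(edges: List[Edge]) -> List[Set[str]]:
    """Tarjan's algorithm; returns only the SCCs that contain a cycle."""
    adj: Dict[str, List[str]] = {}
    for e in edges:
        adj.setdefault(e.src, []).append(e.dst)
        adj.setdefault(e.dst, [])
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    found: List[Set[str]] = []

    def visit(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in adj[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:              # v is the root of an SCC
            comp: Set[str] = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            found.append(comp)

    for v in sorted(adj):
        if v not in index:
            visit(v)
    return [c for c in found if any(e.src in c and e.dst in c for e in edges)]


def summarize(internal: List[Edge]) -> Tuple[Set[str], Set[str], Set[str], bool]:
    """U, R, L and the zero-check flag of an SCC, from its internal edges."""
    U: Set[str] = set(); R: Set[str] = set(); L: Set[str] = set(); zc = False
    for e in internal:
        U |= e.bounded; R |= e.reset; L |= e.lower; zc = zc or e.zero_check
    return U, R, L, zc


def search(edges: List[Edge], accepting: Set[str], verdicts: List[Verdict]) -> None:
    for comp in sccs(edges):
        if not comp & accepting:
            continue                        # no accepting node: useless SCC
        internal = [e for e in edges if e.src in comp and e.dst in comp]
        U, R, L, zc = summarize(internal)
        if L & R:                           # 4.2, second condition
            verdicts.append(("non-empty: lower-bounded clock is reset", frozenset(comp)))
        elif U <= R:                        # unblocked
            if zc:                          # needs GZG restricted to the SCC
                verdicts.append(("undecided: unblocked but has zero-checks", frozenset(comp)))
            else:                           # 4.2, first condition (Lemma 22)
                verdicts.append(("non-empty: unblocked and free from zero-checks", frozenset(comp)))
        else:                               # 4.1: drop blocking edges, restart
            blocking = U - R
            kept = [e for e in internal if not (e.bounded & blocking)]
            search(kept, accepting, verdicts)


def decide(edges: List[Edge], accepting: Set[str]) -> Verdict:
    verdicts: List[Verdict] = []
    search(edges, accepting, verdicts)
    for prefix in ("non-empty", "undecided"):
        for v in verdicts:
            if v[0].startswith(prefix):
                return v
    return ("empty: no accepting SCC survives the blocking-edge refinement", frozenset())


# Constructed graphs (assumed, not from the paper); the accepting node is "a".
# x <= 2 on a->b with x never reset is blocking; dropping a->b leaves the
# loop a->c->a, where y <= 3 is bounded but also reset.
G_REFINE = [Edge("a", "b", bounded=frozenset({"x"})), Edge("b", "a"),
            Edge("a", "c"), Edge("c", "a", bounded=frozenset({"y"}), reset=frozenset({"y"}))]
G_BLOCKED = [Edge("a", "b", bounded=frozenset({"x"})), Edge("b", "a")]
# FDDI-like: a zero-check on y, but x is reset and x > 1 is then required.
G_LOWER = [Edge("a", "b", reset=frozenset({"y"})),
           Edge("b", "c", bounded=frozenset({"y"}), reset=frozenset({"x"}), zero_check=True),
           Edge("c", "a", lower=frozenset({"x"}))]
# A_2-like: two zero-checks, each clock reset only on the other edge.
G_ZERO = [Edge("a", "b", bounded=frozenset({"y"}), reset=frozenset({"x"}), zero_check=True),
          Edge("b", "a", bounded=frozenset({"x"}), reset=frozenset({"y"}), zero_check=True)]

if __name__ == "__main__":
    for name, g in [("refine", G_REFINE), ("blocked", G_BLOCKED), ("lower", G_LOWER), ("zero", G_ZERO)]:
        print(name, decide(g, {"a"}))
```

The "undecided" verdict is where Figure 10 hands over to the restricted guessing zone graph GZG_a^Γ(A); the other three verdicts are reached on the zone graph alone, which is the point of the optimization. Each restart drops every edge that bounds a currently blocking clock, so at least one clock leaves U at every level and the recursion is bounded by the number of clocks, as in Section 4.1.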

The first condition is justified by the following lemma.

Lemma 22 If ZG_a(A) has an unblocked path that visits an accepting node infinitely often and has only finitely many transitions with zero-checks, then A has a non-Zeno run satisfying the Büchi condition.

Proof

Let σ be the path in ZG_a(A) as required by the assumptions of the lemma:

$(q_0, Z_0) \xrightarrow{t_0} \cdots (q_i, Z_i) \xrightarrow{t_i} \cdots$

Since zero-checks occur only finitely often in σ, we can find j such that the suffix $(q_j, Z_j) \xrightarrow{t_j} \cdots$ of σ contains no zero-checks in its transitions. Let σ' be the following sequence:

$(q_0, Z_0, Y_0) \xrightarrow{\tau} (q_0, Z_0, Y_0') \xrightarrow{t_0} (q_1, Z_1, Y_1) \xrightarrow{\tau} (q_1, Z_1, Y_1') \xrightarrow{t_1} \cdots$

where Y_0 = X, Y_i is determined by the transition, Y_i' = Y_i for all i < j, and Y_i' = ∅ for i ≥ j. Note that σ' is a path in GZG_a(A). For this to be true, each transition $(q_i, Z_i, Y_i') \xrightarrow{t_i} (q_{i+1}, Z_{i+1}, Y_{i+1})$ should be realizable from a valuation v_i such that v_i ⊨ (X − Y_i') > 0. This is vacuously true if i < j since Y_i' = X for all i < j. For i ≥ j, Y_i' = ∅ and since t_i does not contain a zero-check, the transition is realizable from a valuation v_i in which all clocks are strictly greater than 0.

Since σ is unblocked, σ' is unblocked too. By definition all but finitely many nodes of σ' are clear. Finally, σ' visits an accepting node infinitely often. By Theorem 14, A has a non-Zeno run satisfying the Büchi condition. □

The above two observations give a sufficient condition for terminating with success when an SCC Γ with an accepting node is found in ZG_a(A). If the above two conditions do not hold, then Γ has no clock bounded from below (i.e. by x > 1) and Γ either has blocking clocks or zero-checks. If it has only blocking clocks, we apply the procedure that restarts the exploration with the blocking edges removed, as described in Section 4.1. If Γ has zero-checks, we indeed use the guessing zone graph construction, however restricted only to the nodes of Γ. The problem is to know the initial set of clocks that need to be zero. We first define a few notations.
Let (q_r, Z_r) be the root of Γ as determined by Couvreur's algorithm. Let GZG_a^Γ(A) be the part of GZG_a(A) rooted at (q_r, Z_r, X) and restricted only to the nodes and transitions that occur in Γ. We say that a run ρ of A is trapped in an SCC Γ of ZG_a(A) if a suffix of ρ is an instantiation of a path in Γ. The following lemma justifies the use of the restricted guessing zone graph construction starting from (q_r, Z_r, X).

Lemma 23 The automaton A has an accepting non-Zeno run trapped in an SCC Γ of ZG_a(A) iff GZG_a^Γ(A) has an SCC that is accepting, unblocked and contains a clear node.

Proof

For the left-to-right direction, consider the following run ρ of A trapped in Γ:

$(q_0, v_0) \xrightarrow{\delta_0, t_0} \cdots (q_m, v_m) \xrightarrow{\delta_m, t_m} \cdots$

where q_m = q_r, v_m ∈ Z_r and (q_r, Z_r) is the root of Γ. Consider the sequence σ':

$(q_0, Z_0, Y_0) \xrightarrow{\tau} (q_0, Z_0, Y_0') \xrightarrow{t_0} (q_1, Z_1, Y_1) \xrightarrow{\tau} (q_1, Z_1, Y_1') \xrightarrow{t_1} \cdots$

where

• (q_0, Z_0) is the initial node of ZG_a(A), and the zone Z_i is determined by the transition,

• Y_0 = X, and Y_i is determined by the transition,

• Y_i' = Y_i for all i < m; for i ≥ m, Y_i' = ∅ if δ_i > 0 and Y_i' = Y_i otherwise.

Observe that Y_m = X and the suffix of σ' starting from (q_m, Z_m, Y_m) is a path of GZG_a^Γ(A). Since there are infinitely many i with δ_i > 0, this suffix corresponds to an SCC that has a clear node. It is accepting and unblocked since the run ρ that we started with is accepting and non-Zeno.

For the right-to-left direction, note that an accepting, unblocked SCC with a clear node in GZG_a^Γ(A) corresponds to an accepting, unblocked path of GZG_a(A) starting from (q_r, Z_r, X) that visits a clear node infinitely often. It is straightforward to see that (q_r, Z_r, X) is reachable from the initial node (q_0, Z_0, X) of GZG_a(A) through a path in which for all transitions $(q, Z, Y) \xrightarrow{t} (q', Z', Y')$, Y' = Y. Indeed, the restriction of GZG_a(A) to its nodes with Y = X is isomorphic to the zone graph ZG_a(A). From this path of GZG_a(A) and using Lemma 16 we can construct an accepting, non-Zeno run of A that is trapped in Γ. □

Based on the above observations, we give the schema of the overall optimized algorithm in Figure 10. In the worst case, the algorithm runs in time O(|ZG_a(A)| · |X|^2). When the automaton does not have zero-checks it runs in time O(|ZG_a(A)| · |X|). When the automaton further has no blocking clocks, it runs in time O(|ZG_a(A)|).
[Figure 10 (flowchart; only its box and arrow labels survive in the text): A → "Compute ZG_a(A) using Couvreur's algorithm" → either "Finish: A is empty" or "Found SCC Γ with accepting node" → "Γ has lower-bounded clock? or is Γ unblocked, free from zero-checks?": Yes → "A is non-empty"; No → "Is Γ maximal?": No → "Continue *"; Yes → "Γ has zero-checks?": No → "Is there a sub-SCC with accepting node & no blocking clocks?" (Yes → "A is non-empty", No → "Continue *"); Yes → "GZG_a^Γ(A) has SCC with accepting node, clear node & no blocking clocks?" (Yes → "A is non-empty", No → "Continue *").]

Figure 10: Algorithm to check for Büchi emptiness of A. "Continue" loops back to computing ZG_a(A) using Couvreur's algorithm.



5 Experiments

We have implemented our algorithms in a prototype verification tool. Given a network A_1, …, A_n of timed Büchi automata, we want to check if this network satisfies a property specified in some logic. We consider a property φ that can be translated into a timed automaton A_¬φ such that the network satisfies φ iff the product timed automaton A_1 × ··· × A_n × A_¬φ has an empty language. Table 1 presents the results that we obtained on several classical examples. The "Models" column represents the product of the network of Timed Büchi Automata and the property to verify. We give the number of processes in the network for each model. A tick in the "Sat." column tells that the property is satisfied by the model. The "Zone Graph" column gives the number of nodes in the zone graph. Next, for the "Strongly non-Zeno" construction, we give the size of the resulting zone graph followed by the number of nodes that are visited during verification using Couvreur's algorithm. Similarly for the "Guessing Zone Graph", but using the algorithm of Section 4.1. Finally, the last column corresponds to our fully optimized algorithm as described in Section 4.2.

We have considered three types of properties: reachability properties (mutual exclusion, collision detection for CSMA/CD), liveness properties (access to the resource infinitely often), and bounded response properties (which are reachability properties with real-time requirements). Reachability properties require finding a path to a target state starting from the initial state. Although this path is a finite sequence, it is realistic only if this finite sequence can be extended to a non-Zeno path of the automaton. Therefore, while verifying reachability properties, we check if the automaton has a non-Zeno path that contains the target state.

The strongly non-Zeno construction outperforms the guessing zone graph construction for reachability properties. This is particularly the case for mutual exclusion on Fischer's protocol and collision detection for the CSMA/CD protocol. For liveness properties, the results are more balanced. On the one hand, the strongly non-Zeno construction is once again more efficient for the CSMA/CD protocol. On the other hand, the differences are tight in the case of Fischer's protocol. The guessing zone graph construction distinguishes itself for bounded response properties. Indeed, the Train-Gate model is an example of exponential blowup for the strongly non-Zeno construction.

We notice that on-the-fly algorithms perform well. Even when the graphs are big, particularly in the case when the automata are not empty, the algorithms are able to conclude after having explored only a small part of the graph. Our optimized algorithm outperforms the two others on most examples. In particular, for the CSMA/CD protocol with 5 stations our algorithm needs to visit only 4841 nodes while the two other methods visited 8437 and 21038 nodes. This confirms our initial hypothesis: most of the time, the zone graph contains enough information to ensure time progress. As a consequence, checking non-Zenoness and emptiness is done at the same cost as checking emptiness only. This is in turn achieved at a cost that is similar to reachability checking.

Our optimization using lower bounds on clocks also proves useful for the FDDI protocol example. One of its processes has zero-checks, but since some other clock is bounded from below and reset, it was not necessary to explore the guessing zone graph to conclude non-emptiness.






Models (A)                  | Sat. | ZG_a(A) | ZG_a(SNZ(A))     | GZG_a(A)         | Optimized
                            |      | size    | size    visited  | size    visited  | visited
----------------------------+------+---------+------------------+------------------+----------
Train-Gate2 (mutex)         |      |    134  |    194      194  |    400      400  |     134
Train-Gate2 (bound. resp.)  |      |    988  | 227482      352  |   3840     1137  |     292
Train-Gate2 (liveness)      |      |    100  |    217       35  |    298       53  |      33
Fischer3 (mutex)            |      |   1837  |   3859     3859  |   7292     7292  |    1837
Fischer4 (mutex)            |  ✓   |  46129  |  96913    96913  | 229058   229058  |   46129
Fischer3 (liveness)         |      |   1315  |   4962       52  |   5222       64  |      40
Fischer4 (liveness)         |      |  33577  | 147167      223  | 166778      331  |     207
FDDI3 (liveness)            |      |    508  |   1305       44  |   3654       79  |      42
FDDI5 (liveness)            |      |   6006  |  15030       90  |  67819      169  |      88
FDDI3 (bound. resp.)        |      |   6252  |  41746       59  |  52242      114  |      60
CSMA/CD4 (collision)        |  ✓   |   4253  |   7588     7588  |  20146    20146  |    4253
CSMA/CD5 (collision)        |  ✓   |  45527  |  80776    80776  | 260026   260026  |   45527
CSMA/CD4 (liveness)         |      |   3038  |   9576     1480  |  14388     3075  |     832
CSMA/CD5 (liveness)         |      |  32751  | 120166     8437  | 186744    21038  |    4841

Table 1: Experimental results. The "Sat." column tells which properties are satisfied by the model. The "size" columns give the number of nodes in the corresponding graphs. The "visited" columns give the number of nodes that are visited by the corresponding algorithm. The results correspond to Couvreur's algorithm for ZG_a(SNZ(A)), the algorithm of Section 4.1 for GZG_a(A), and the algorithm of Section 4.2 for the "Optimized" column.

6 Conclusions

The Büchi non-emptiness problem is one of the standard problems for timed automata. Since the paper introducing the model, it has been widely accepted that the addition of one auxiliary clock is an adequate method to deal with the problem of Zeno paths. This technique is also used in the recently proposed zone-based algorithm for the problem [53].

In this paper, we have shown that in some cases the auxiliary clock may cause an exponential blowup in the size of the zone graph. We have proposed another method that is based on a modification of the zone graph. The resulting graph grows only by a factor that is linear in the number of clocks. In our opinion, the efficiency gains of our method outweigh the fact that it requires some small modifications in the code dealing with zone graph exploration. Moreover, liveness can be checked at the same cost as reachability, as demonstrated by our experiments. This also shows that in most cases the zone graph already contains enough information to handle non-Zenoness.

As future work we plan to extend our algorithm to commonly used syntactic extensions of timed automata. For example, UPPAAL and Kronos allow resetting clocks to arbitrary values, which is convenient for modeling real-life systems. This would require extending the guessing zone graph construction and consequently our algorithm. In this paper, we considered the Approx abstraction, which has been largely improved by later works [3]. It has been shown that these new abstractions preserve Büchi conditions [21]. We plan to study the extension of our technique to these abstractions. Finally, we also plan to extend our construction to extract non-Zeno strategies in timed games.